Information Classification in Information Security Management and its Challenges

Abstract: Information classification is a prerequisite for carrying out risk management in information security, as the assets worth protecting are identified and the need for protection is determined by the classification categories. The information classification thus has a major impact on the security architecture of systems and organizations. Nevertheless, information classification leads a shadowy existence in the scientific literature, which is reflected in a limited number of scientific publications. This discrepancy between the relevance of information classification in risk management and its low scientific attention was the motivation to take a closer look at the topic. This thesis created an overview of the current state of research in information classification and shed some light on potential problems to stimulate new research questions. The results of the work include a current overview of the status of research on information classification in risk management of information security and its context to other academic disciplines and practical needs, particularly research on bias and systems engineering. This thesis also summarized a total of 109 individual research gaps in information classification research, derived from the evaluation of the scientific literature and on the conclusions of identified open questions. From the gaps identified, some suggestions for future research in the field of information classification could be made.